Work around bizarre Convergence/SSL Observatory interactions

pde · pde · commit 7081925bea4e · 2011-10-20T17:11:00.000-07:00
Convergence actually MITMS Firefox using a local root CA it makes and installs in your trust root. It does this because of https://bugzilla.mozilla.org/show_bug.cgi?id=644640. Normally the SSL Observatory ignores such chains, but if the user has select "submit certs from alternative roots", we should avoid sending the local root CA cert, since it functions like a tracking ID. This is just a first step towards better Convergence/SSL Observatory interoperation.
diff --git a/src/components/ssl-observatory.js b/src/components/ssl-observatory.js
@@ -331,7 +331,7 @@ SSLObservatory.prototype = {
       }
     }
 
-    if (!this.myGetBoolPref("alt_roots"))
+    if (!this.myGetBoolPref("alt_roots")) {
       if (rootidx == -1 || (fps.length > 1 && !(fps[rootidx] in this.public_roots))) {
         if (rootidx == -1) {
           rootidx = fps.length-1;
@@ -340,6 +340,23 @@ SSLObservatory.prototype = {
                  +domain+" with root "+fps[rootidx]);
         return;
       }
+    } else {
+      // Convergence currently performs MITMs against the Firefox in order to
+      // get around https://bugzilla.mozilla.org/show_bug.cgi?id=644640.  The
+      // end-entity cert produced by Convergence contains a copy of the real
+      // end-entity cert inside an X509v3 extension.  For now we submit the
+      // synthetic end-entity cert but avoid the root CA cert above it, which would
+      // function like a tracking ID.  If anyone knows how to parse X509v3
+      // extensions in JS, we should do that instead.
+      var convergence = Components.classes['@thoughtcrime.org/convergence;1'];
+      if (convergence) 
+        convergence = convergence.getService().wrappedJSObject;
+      if (convergence && convergence.enabled) {
+        this.log(INFO, "Convergence uses its own root CAs; not submitting those");
+        certArray = certArray.slice(0,1);
+        fps = fps.slice(0,1);
+      }
+    }
 
     if (fps[0] in this.already_submitted) {
       this.log(INFO, "Already submitted cert for "+domain+". Ignoring");
